diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
index 4f42947a85..3b9034e5cc 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json
@@ -73,7 +73,8 @@
           "RequestRecordInformation",
           "FileUnfiledRecords",
           "RejectRecords",
-          "LinkToRecords"
+          "LinkToRecords",
+          "ManageAccessControls"
       ]
    },
    {
@@ -124,7 +125,6 @@
           "DeleteRecords",
           "TriggerAnEvent",
           "CreateModifyDestroyRoles",
-          "CreateModifyDestroyUsersAndGroups",
           "PasswordControl",
           "EnableDisableAuditByTypes",
           "SelectAuditMetadata",
@@ -143,8 +143,10 @@
           "RemoveFromHold",
           "FileHoldReport",
           "DeleteHold",
-          "EditHold",
           "EndRetention"
+          "EditHold",
+          "ManageAccessControls"
+
       ]
    },
    {
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatch.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatch.java
index 824a06098e..1226edf1ee 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatch.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatch.java
@@ -35,7 +35,7 @@ public class RMv22CapabilityPatch extends CapabilityPatch
      */
     protected void applyCapabilityPatch(NodeRef filePlan) 
     {
-        // add new capability
+        // add new capbilities
         addCapability(filePlan,
                       "FileDestructionReport",
                       FilePlanRoleService.ROLE_ADMIN,
@@ -52,5 +52,11 @@ public class RMv22CapabilityPatch extends CapabilityPatch
                       "RemoveFromHold",
                       FilePlanRoleService.ROLE_ADMIN,
                       FilePlanRoleService.ROLE_RECORDS_MANAGER);
+        
+        // @see https://issues.alfresco.com/jira/browse/RM-2058
+        addCapability(filePlan, 
+        		      "ManageAccessControls", 
+        		      FilePlanRoleService.ROLE_SECURITY_OFFICER,
+                      FilePlanRoleService.ROLE_RECORDS_MANAGER);        
     }
 }
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22HoldCapabilityPatch.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22HoldCapabilityPatch.java
index c0582e0f26..a3967cc1c5 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22HoldCapabilityPatch.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22HoldCapabilityPatch.java
@@ -23,7 +23,7 @@ import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
 import org.alfresco.service.cmr.repository.NodeRef;
 
 /**
- * RM v2.2 patch to add new hold releated capabilities.
+ * RM v2.2 patch to update capabilities.
  *
  * @author Roy Wetherall
  * @since 2.2
diff --git a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/PatchV22Suite.java b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/PatchV22Suite.java
new file mode 100755
index 0000000000..186ae0876e
--- /dev/null
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/PatchV22Suite.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2005-2014 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.patch.v22;
+
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+/**
+ * patch.v22 unit test suite
+ *
+ * @author Roy Wetherall
+ * @since 2.3
+ */
+@RunWith(Suite.class)
+@SuiteClasses(
+{
+    RMv22RemoveInPlaceRolesFromAllPatchUnitTest.class,
+    RMv22CapabilityPatchUnitTest.class
+})
+public class PatchV22Suite
+{
+}
diff --git a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatchUnitTest.java b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatchUnitTest.java
new file mode 100644
index 0000000000..aa080f0977
--- /dev/null
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/patch/v22/RMv22CapabilityPatchUnitTest.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2005-2014 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.patch.v22;
+
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Collections;
+
+import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
+import org.alfresco.module.org_alfresco_module_rm.test.util.BaseUnitTest;
+import org.alfresco.service.cmr.security.AuthorityType;
+import org.junit.Test;
+import org.mockito.InjectMocks;
+
+/**
+ * Unit test for RMv22CapabilityPatch
+ * 
+ * @author Roy Wetherall
+ */
+public class RMv22CapabilityPatchUnitTest extends BaseUnitTest 
+{
+	/** patch */
+	private @InjectMocks RMv22CapabilityPatch patch;
+	
+	/**
+	 * Given that I am upgrading an existing repository to v2.2
+	 * When I execute the patch
+	 * Then the capabilities are updated
+	 */
+	@Test
+	public void executePatch()
+	{
+		when(mockedFilePlanService.getFilePlans())
+			.thenReturn(Collections.singleton(filePlan));
+		when(mockedAuthorityService.getName(eq(AuthorityType.GROUP), anyString()))
+			.thenReturn(
+					FilePlanRoleService.ROLE_ADMIN,
+                    FilePlanRoleService.ROLE_RECORDS_MANAGER,
+					FilePlanRoleService.ROLE_ADMIN,
+                    FilePlanRoleService.ROLE_RECORDS_MANAGER,
+					FilePlanRoleService.ROLE_ADMIN,
+                    FilePlanRoleService.ROLE_RECORDS_MANAGER,
+					FilePlanRoleService.ROLE_ADMIN,
+                    FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+      		      	FilePlanRoleService.ROLE_SECURITY_OFFICER,
+      		      	FilePlanRoleService.ROLE_RECORDS_MANAGER);
+		
+		// execute patch
+		patch.applyInternal();
+		
+		// verify that the correct capabilities have been added
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_ADMIN, 
+				"FileDestructionReport", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+				"FileDestructionReport", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_ADMIN, 
+				"CreateHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+				"CreateHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_ADMIN, 
+				"AddToHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+				"AddToHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_ADMIN, 
+				"RemoveFromHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+				"RemoveFromHold", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_RECORDS_MANAGER, 
+				"ManageAccessControls", 
+				true);
+		verify(mockedPermissionService, times(1)).setPermission(
+				filePlan, 
+				FilePlanRoleService.ROLE_SECURITY_OFFICER, 
+				"ManageAccessControls", 
+				true);
+	}
+	
+}
diff --git a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java
index 70d5e7247c..bd622f09f3 100644
--- a/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java
+++ b/rm-server/unit-test/java/org/alfresco/module/org_alfresco_module_rm/test/AllUnitTestSuite.java
@@ -32,7 +32,7 @@ import org.alfresco.module.org_alfresco_module_rm.job.DispositionLifecycleJobExe
 import org.alfresco.module.org_alfresco_module_rm.jscript.app.evaluator.FrozenEvaluatorUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.jscript.app.evaluator.TransferEvaluatorUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.model.compatibility.DictionaryBootstrapPostProcessorUnitTest;
-import org.alfresco.module.org_alfresco_module_rm.patch.v22.RMv22RemoveInPlaceRolesFromAllPatchUnitTest;
+import org.alfresco.module.org_alfresco_module_rm.patch.v22.PatchV22Suite;
 import org.alfresco.module.org_alfresco_module_rm.record.RecordMetadataBootstrapUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.record.RecordServiceImplUnitTest;
 import org.alfresco.module.org_alfresco_module_rm.recorded.version.config.RecordedVersionConfigGetTest;
@@ -84,20 +84,19 @@ import org.junit.runners.Suite.SuiteClasses;
     FileReportActionUnitTest.class,
     UnlinkFromActionUnitTest.class,
     DeclareAsVersionRecordActionUnitTest.class,
-
-    // patches
-    RMv22RemoveInPlaceRolesFromAllPatchUnitTest.class,
-
+    
     // recorded version config
     RecordedVersionConfigGetTest.class,
     RecordedVersionConfigPostTest.class,
-    
+
     // bootstrap
     BootstrapImporterModuleComponentUnitTest.class,
     RecordContributorsGroupBootstrapComponentUnitTest.class,
     
     // suites by package
-    CapabilityDeclarativeConditionSuite.class
+    CapabilityDeclarativeConditionSuite.class,
+    PatchV22Suite.class
+
 })
 public class AllUnitTestSuite
 {